Google Play Flaw Gives App Developers Purchaser's Information

from the uh,-why? dept

Google, being the undisputed search engine king, is no stranger to concerns over the privacy of its users. Everything from odd fears over its privacy policy to the images on Google Maps has been hurled at it, with most of the intelligent analysis of those concerns amounting to indifferent shoulder shrugs. Privacy is important, of course, but there has yet to be any sense of malicious intent or gross oversight in these cases. Rather, they tend to fall into the category of possible yet unlikely dangers brought about by the very nature of expanded technology.

"Let me make this crystal clear, every App purchase you make on Google Play gives the developer your name, suburb and email address with no indication that this information is actually being transferred," Nolan wrote on his blog. "With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase."

If accurate, Google making that information available is at best stupid. As the selling platform, there's simply no reason to do it. Why does the guy or girl who created the Fat Booth app that so delights my friends need to know where I sleep at night? It might be a case where there's confusion about the roles each one is playing. If Google merely views itself as a platform for others to create a store, then you could kind of see where this made sense. App developers are then setting up their own "store" where there are advantages to them having a direct relationship with their customers. The problem, however, is that users don't view it this way. They think of Google as "the store" and this looks like them handing over their private info to the suppliers. And that certainly feels like a pretty massive privacy breach.

More importantly, as the article notes, the implications for how malware creators could exploit this are even more worrisome.

With Google customers' details just sitting in developers' accounts, all it would take is a half decent piece of malware software for that information to be accessed. These personal details could then be used to access the users' bank details. That's also more than enough information to be able to access your other devices which could also be mined for more data - insurance information, other credit cards - which could then be used to access your banking credentials.

Due to these very concerns, Nolan expresses his displeasure and discomfort with having that information at all. Worse, if there's any way to opt out of receiving it, he can't seem to find it. Just as worrisome as the flaw is the fact that no one else bothered to report it. Whether this was laziness, ignorance, or the very real possibility that many developers were doing something underhanded with their customers' information is unclear, but all three possibilities are damning to Google, which certainly should have known better. Worse yet, Google is quite clear in its TOS that it can store this information once you provide it, but there is no mention of passing that data along to app developers in its privacy statement.

While there's yet to be any response from Google as of the time of this writing, the original article did note that Google had already requested an amendment to the story, meaning what remains of it is likely accurate. The speed with which Google needs to fix this would be mach-infinity.

I'm still curious why businesses have any right to give out data. It shouldn't even be in the TOS. The only way they should be able to do it is if the user opts in. I can see a small incentive being okay for that, but it shouldn't be able to be required to use a service (other than basic requirements of a system...)

Re:

With Google customers' details just sitting in developers' accounts, all it would take is a half decent piece of malware software for that information to be accessed. These personal details could then be used to access the users' bank details. That's also more than enough information to be able to access your other devices which could also be mined for more data - insurance information, other credit cards - which could then be used to access your banking credentials.

Sounds more like FUD to me...

First, let me preface this by saying that I'm a HUGE fan of Techdirt and the writing here. I'm very much in line with about 99% of what you guys write here. Please don't think of me as one of the trolls who usually get beat up.

That said, to be frank, this is crap and FUD of a level I've never witnessed here before. You're pretty much taking worst case scenarios and trying to drum up panic. That's despicable and you should be ashamed.

Now, my background is selling apps too, in a different ecosystem than Google Play, though it works in much the same way. I write software that is sold on a third party site. I too get customer details (if they exist; with Paypal orders they do not) and, as a developer/business, I find this to be crucial to building a database of customers I can continue to work with and reach out to.

For me, as a business owner, I find this data invaluable. For example, I do like to reach out to customers who returned a product to find out the "why" (I want to improve things and this is sometimes the only way). I have yet, out of a few dozen returns, had anyone *ever* complain or feel this was crossing a line. Your pointing that out as a possible failure point just doesn't jibe with my reality. At all.

I find it ridiculous that the store providing customer details to the software creators would be worthy of note much less concern. Building fear, uncertainty, and doubt over this should be an embarrassment to you all.

Re: Sounds more like FUD to me...

Thanks for the thoughtful feedback. I would contend that this kind of data sharing without consent of the user is a problem. That the possible negative outcomes of such unilateral sharing have to be speculated is a valid point, but in the context of user privacy it's still an issue. Most app developers may indeed use the data in benign ways, or not at all, but the malware problem still exists in a very real way.

Re: Sounds more like FUD to me...

I don't have a dog in this fight, other than to be a Google Play customer, but I don't see the problem here either. Normally I am a big fan of privacy, but in this case it seems that the app (seller) is receiving their customer information. If they didn't, then it could be argued that Google has inserted themselves into the transaction so deeply, that they get customer info but the app developer does not. So the app developer would know nothing about their customers other than they have some.

Re:

First, it's not true, and if it was, you're right, what is the problem? When paying with credit card, your address is standard fare. The developer console won't even give an email if the customer wants it that way.

"Let me make this crystal clear, every App purchase you make on Google Play gives the developer your name, suburb and email address with no indication that this information is actually being transferred," Nolan wrote on his blog. "With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase."

Sales tax

IIRC, the transaction is actually between the seller and buyer. Google is only the middle-man.
I'm a published developer with a paid app, and I've seen this. I thought it was odd at first. The customer can choose to hide their email, but I didn't see an option for hiding city location. However, I suspect this is so because of taxes.
Each developer is responsible for paying sales tax for their jurisdiction (since they are the seller, not Google). Without that information it would be impossible for some people to do so (depending on the area).
Google can handle this for you, but they have a disclaimer that the developer is responsible for any and all taxes, even if Google handles it.

Re: Re: Sounds more like FUD to me...

Big fan sir. Your comments and insight are some of the funniest, most thought-provoking, and interesting I've read and I'm flattered that you would take the time to respond to me.

I agree there is a possibility of negative outcomes but there are possibilities of negative outcomes with pretty much everything. Any time you give out personal information there's a possibility of negative outcomes. Focusing on this as a possible issue just seems more to fit an agenda than to actually solve a real problem.

I guess what got me thinking about this (and wanting to post my first comment to Techdirt ever) was the idea that developers having personal details of their customers was a bad thing. Especially considering there's no evidence in the article, anecdotal or otherwise, to back that up. I find it borderline insulting to presume that I (and other developers) would be less inclined to protect our/your data than many of the Fortune 500 companies who have had HUGE data breaches (many of whom are written about here).

More, to bring up malware as a point of concern when it comes to developers' data systems seems sort of silly. What I mean is that, in my experience, developers tend to be highly concerned when it comes to security. Our reputations can be ruined by security issues so it's very much in our best interest to worry a great deal about this. By the way, not to imply we're better at that or that bad things don't happen, just that developers are more "power users" when it comes to their systems than, again, many of the larger companies who have had data breaches. Why worry about developers as the problem?

Personally, I think this is more a privacy policy issue than anything else. I just checked the site I sell my software on and their privacy policy makes it clear that they will share some of your information with developers. To me that's perfectly acceptable. They're plainly stating that your data may be shared and with whom. I do wonder though, how do Steam, Apple, Xbox/Zune, and others handle this? Truly, I have no idea, but I am curious. As a developer, and business owner, if I couldn't have access to my customers' information I would definitely think twice about using that third party to sell my software. And maybe that's just me (Dan Nolan certainly seems to disagree).

To me, the privacy policy is the story here and not any concern over malware or data breaches from developers having their customers information. "The Lie That Is The Google Privacy Policy" would make a cool title I think ;)

email part seems true

I made an app purchase on Google Play this past December 15th and received a "Thank you" email from the developer on the 19th. He explained that it would be a one-off email and suggested that I email him with any issues or queries.

This had me wondering how he got my email address but it seemed like a reasonable response to my purchase and I had forgotten about it until now.

Re:

Because I should not have information disclosed to third parties without my knowledge and approval. App developers don't need any of that information. They aren't handling payments, Google is.

If I had known this was happening, I would not have purchased any apps. Now that I know, I won't be purchasing any more until/unless this is fixed. If the app developers want my personal information, they can ask me for it.

Re: Sounds more like FUD to me...

It's clear this information is valuable to developers. But it's also valuable to me to be able to withhold it. This should have been disclosed at the least, and there should be an obvious way to opt-out.

"I find it ridiculous that the store providing customer details to the software creators would be worthy of note much less concern."

You may find it ridiculous, but many people, like myself, find this a very big deal. I go far out of my way to avoid having information about me and my purchases disclosed. Even from the local grocery store, let alone random developers about whom I know nothing.

What's to stop them from putting me on their mailing list, or selling my email address and other details to others? Nothing.

They are welcome to my info...

Re: Re: Sounds more like FUD to me...

But Google does say that they share your information with others. It's right there in their Privacy Policy; this is no secret.

While I completely agree with you that personal information is valuable and something to covet (personally, that's why I'm not on Facebook) if you're going to use a service you would be well served to know what they do with your data before using it.

Re: Re:

Using Services One Doesn't Know

Ok; this is now silly. I went through and read the entire Privacy Policy on Google Play, both of them (yeah, there are two), and they make it clear, to my non-lawyer mind at least, that they do in fact share this information. So all of this is based on the assumption of the world working one way when it works the other way.

Look, I'm all for privacy and protecting personal information as much as the next guy but this is silly. Google says they share customer information with people who need it. If customers don't like this, shop elsewhere. If developers don't like it, don't sell there. I really don't think this is as big a deal as it's being made out to be.

Re: Sales tax

"IIRC, the transaction is actually between the seller and buyer. Google is only the middle-man."

That may be true legally, but may not be from a customer perception perspective. If I buy something on Amazon's web site that's actually sold by someone else, does that person get my credit card number? I never thought about it before but I hope they don't. Obviously they need my address to send me something, but Amazon (and Google) should only be sending sellers necessary information.

Re: Re: Re: Sounds more like FUD to me...

Just to follow up to my own comment, it looks like the Google Play privacy policy does state, quite clearly, that they share your information with others. They're being upfront about their usage; it's just that customers and developers alike never bothered to research these things.

Re: Re: Re: Sales tax

That is correct. I even tried to look up credit card information after reading this, and didn't see anything.
Additionally, as a developer I found the information useful.
My app is region specific, and several of the users who purchased my app didn't even live in the area the app is designed to work in (why they bought it, I don't know).
However I used the location information Google provided me to add support for those regions into my app. Granted my use case is probably not as common, however it's valuable information.

Re: Sales tax

"Each developer is responsible for paying sales tax for their jurisdiction (since they are the seller, not Google)."

Google is the merchant of record for the credit card transaction and the store is branded as belonging to Google. Both of those things together suggest that Google is the seller, and not the developer. While Google may wish to avoid responsibility for collecting taxes, I doubt it would survive a legal challenge from states in which Google has a physical presence.

The way I see it, developers who sell through Google should no more get my information than Paramount does when I purchase DVDs through Amazon.

I'm put in mind that Google operates in CA, and CA has some new and fairly stringent requirements regarding privacy policies. Would this violate those requirements? (I don't know... I'm asking/speculating.)

Re: Re: Re: Re: Sounds more like FUD to me...

"Just to follow up to my own comment, it looks like the Google Play privacy policy does state, quite clearly, that they share your information with others."

Like I said earlier, it doesn't just say they share your information with "others". It specifically indicates when they will share your information and with whom, and app developers are not on that list. This violates their privacy policy.

Re: Re: Re: Re: Sales tax

Nobody is disputing that the information is useful to app developers. The issue is that it is being shared without the permission of the users. At a minimum, I should be able to know this is happening prior to my purchasing decision, so I can choose not to purchase. Best case, this wouldn't happen automatically at all, and sharing the information with developers would require a conscious act on my part.

Buyer gets the seller's info too!

It's just as bad for the seller, as the buyer gets his information too!

Just go to checkout.google.com and you can see everything you have ever bought. Click into one of the transactions and odds are you can see the name and address of the person or company that wrote it. So the seller loses all of his privacy as well.